Crate maec

maec-rs — MAEC 5.0 implementation in Rust

This crate provides a complete implementation of MAEC (Malware Attribute Enumeration and Characterization) 5.0 with:

  • All MAEC objects (Package, MalwareFamily, MalwareInstance, Behavior, etc.)
  • JSON and XML serialization via serde
  • Builder pattern for ergonomic object construction
  • Comprehensive error handling
  • Type-safe IDs and references

§Examples

use maec::{Package, MalwareFamily, Name};

// Create a malware family
let family = MalwareFamily::builder()
    .name(Name::new("WannaCry"))
    .description("Ransomware family first seen in May 2017")
    .add_label("ransomware")
    .build()
    .unwrap();

// Create a package containing the family
let package = Package::builder()
    .add_malware_family(family)
    .build()
    .unwrap();

// Serialize to JSON
let json = serde_json::to_string_pretty(&package).unwrap();
println!("{}", json);

§STIX Integration

MAEC complements STIX (Structured Threat Information Expression) by providing detailed malware analysis data. MAEC objects can reference STIX Cyber Observable Objects (files, network traffic, etc.) via the observable_objects field in Package.

Re-exports§

pub use common::extract_type_from_id;
pub use common::generate_maec_id;
pub use common::is_valid_maec_id;
pub use common::is_valid_ref_for_type;
pub use common::CommonProperties;
pub use common::ExternalReference;
pub use common::MaecObject;
pub use error::BuilderError;
pub use error::MaecError;
pub use error::Result;
pub use objects::Behavior;
pub use objects::BehaviorBuilder;
pub use objects::Capability;
pub use objects::CapabilityBuilder;
pub use objects::Collection;
pub use objects::FieldData;
pub use objects::FieldDataBuilder;
pub use objects::MaecObjectType;
pub use objects::MalwareAction;
pub use objects::MalwareFamily;
pub use objects::MalwareFamilyBuilder;
pub use objects::MalwareInstance;
pub use objects::MalwareInstanceBuilder;
pub use objects::Name;
pub use objects::Package;
pub use objects::PackageBuilder;
pub use objects::Relationship;
pub use objects::RelationshipBuilder;
pub use vocab::AnalysisConclusionType;
pub use vocab::AnalysisEnvironment;
pub use vocab::AnalysisType;
pub use vocab::ConfidenceMeasure;
pub use vocab::DeliveryVector;
pub use vocab::EntityAssociation;
pub use vocab::MalwareLabel;
pub use vocab::ObfuscationMethod;
pub use vocab::ProcessorArchitecture;
pub use vocab_large::Behavior as BehaviorVocab;
pub use vocab_large::Capability as CapabilityVocab;
pub use vocab_large::CommonAttribute;
pub use vocab_large::MalwareAction as MalwareActionVocab;
pub use vocab_large::MalwareConfigurationParameter;
pub use vocab_large::OsFeature;

Modules§

common
Common MAEC types and utilities
error
Error types for MAEC operations
objects
MAEC objects module
vocab
MAEC 5.0 Open Vocabularies
vocab_large
Large MAEC vocabularies (Behavior, Action, Operating System enums)

Constants§

MEDIA_TYPE_MAEC
MAEC 5.0 JSON media type for HTTP Content-Type headers
MEDIA_TYPE_MAEC_GENERIC
Generic MAEC JSON media type (without version)